blue-team-tools/rules/windows/process_creation/win_susp_system_user_anomaly.yml

title: Suspicious SYSTEM User Process Creation
id: 2617e7ed-adb7-40ba-b0f3-8f9945fe6c09
status: experimental
description: Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)
references:
    - Internal Research
author: Florian Roth
date: 2021/12/08
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        IntegrityLevel: System
        User|contains|all: # covers many language settings
            - 'AUT'
            - 'SYSTEM' 
    selection_special:
        - Image|endswith:
            - '\calc.exe'
            - '\wscript.exe'
            - '\cscript.exe'
            - '\hh.exe'
            - '\mshta.exe'
            - '\forfiles.exe'
            - '\ping.exe'
        - CommandLine|contains:
            - 'sc stop ' # stops a system service
            - ' -NoP '  # Often used in malicious PowerShell commands
            - ' -W Hidden '  # Often used in malicious PowerShell commands
            - ' -decode '  # Used with certutil
            - ' /decode '  # Used with certutil
            - ' /urlcache '  # Used with certutil
            - ' -urlcache '  # Used with certutil
            - ' -e* JAB'  # PowerShell encoded commands
            - ' -e* SUVYI'  # PowerShell encoded commands
            - ' -e* SQBFAFgA'  # PowerShell encoded commands
            - ' -e* aWV4I'  # PowerShell encoded commands
            - ' -e* IAB'  # PowerShell encoded commands
            - ' -e* PAA'  # PowerShell encoded commands
            - ' -e* aQBlAHgA'  # PowerShell encoded commands
            - 'vssadmin delete shadows'  # Ransomware
            - 'reg SAVE HKLM'  # save registry SAM - syskey extraction
            - ' -ma '  # ProcDump
            - 'Microsoft\Windows\CurrentVersion\Run'  # Run key in command line - often in combination with REG ADD
            - '.downloadstring('  # PowerShell download command
            - '.downloadfile('  # PowerShell download command
            - ' /ticket:'  # Rubeus
            - ' sekurlsa'  # Mimikatz
            - ' p::d '  # Mimikatz 
            - ';iex('  # PowerShell IEX
            - 'MiniDump'  # Process dumping method apart from procdump
            - 'net user '
    condition: all of selection*
falsepositives:
    - Administrative activity
    - Scripts and administrative tools used in the monitored environment
    - Monitoring activity
level: high